Yahoo’s Vulnerability Disclosure Program Policy

Yahoo’s information security team, the Paranoids, are committed to protecting our brands, our partners, and our users. As a part of our commitment, the Paranoids, along with outside researchers, regularly test for new ways our adversaries might attempt to impact our systems. These tests assist in uncovering vulnerabilities in systems and software written by Yahoo, as well as in open-source and commercial products used within our networks. 

If you believe you have identified a security vulnerability, we encourage you to use one of the following reporting options described in this Vulnerability Disclosure Program Policy (the “Policy”) so that we may investigate and take appropriate action. Below we also outline how and when we disclose vulnerabilities involving third parties.

Your participation in Yahoo’s Vulnerability Disclosure Program (the “Program”) is voluntary and subject to the terms and conditions set forth in this Policy.  By reporting a vulnerability to Yahoo, you acknowledge that you have read and agreed to fully comply with this Policy.

Yahoo maintains the right to terminate this Program at any time with or without notice.  We may amend this Policy at any time by posting a revised version on our website. By continuing to participate in the Program after any such changes, you accept the Policy’s terms and conditions as modified.  

Reporting a vulnerability to Yahoo

Outside researchers have the opportunity to report vulnerabilities to Yahoo through our programs at HackerOne or Intigriti or by contacting us directly. Yahoo will not initiate a lawsuit or law enforcement investigation against a researcher in response to reporting a vulnerability if the researcher fully complies with this Policy. 

Bug Bounty Program Researcher Reporting

Yahoo utilizes HackerOne and Intigriti for bug bounty reporting. Researchers are invited to our public program for select Yahoo brands. Details on our HackerOne programs can be found at: https://hackerone.com/yahoo. Details on our Intigriti programs can be found at: https://app.intigriti.com/programs/yahoo/yahoobugbounty.

The details of how Yahoo responds to reports submitted through HackerOne or Intigriti are outlined in the various program documents available at the respective links provided above. 

Independent Reporting

Researchers may not want to report the vulnerability through our bug bounty programs for various reasons. Should this be the case, we invite you to directly contact the Paranoids at security@yahooinc.com. 

Note that reports submitted through email are not eligible for awards. 

Vulnerability reports sent to security@yahooinc.com are reviewed by the Paranoids. To the extent information shared about a security issue is not public knowledge, Yahoo will keep this particular information confidential and will not disclose the information to third parties without the researcher’s permission, unless a disclosure is: (1) required by law or legal process, (2) in response to a lawful request from a government agency, or (3) necessary or appropriate, as determined by Yahoo in its sole discretion, to protect our users or our brands.

Rules of Conduct

Yahoo requires the following of researchers:

• Researchers may not publicly disclose, or otherwise share information regarding vulnerabilities to any third party pertaining to Yahoo's intellectual property, without Yahoo’s express written permission.
• Researchers must send reports using the PGP key listed below to secure all communications. 
• When investigating a vulnerability, researchers may only target their own accounts. Researchers may not interact with an individual Yahoo user account, including modifying or accessing data from an account, if the account owner has not expressly consented to such interaction.
• Researchers may not, and are not authorized to, engage in any activity that would be disruptive, damaging, or harmful to Yahoo, its brands or its users. 
• Researchers may demonstrate an issue using a proof of concept, but may not use a finding to compromise/exfiltrate data, or pivot to other systems, without Yahoo’s express written permission.
• Researchers may not violate Yahoo’s Terms of Service or Privacy Policy or any applicable laws or regulations, including any laws or regulations governing privacy or the lawful processing of data.

Emails sent to security@yahooinc.com unrelated to a submission of a vulnerability, including requests related to HackerOne or Intigriti, might not receive an acknowledgement.

Coordinated vulnerability disclosures to third parties

When a vulnerability is discovered in a third party system, Yahoo follows an industry standard coordinated disclosure process:

• Yahoo will make a reasonable attempt to disclose these newly discovered vulnerabilities directly to the vendors or through a third party coordinator designated by the vendor as soon as possible after discovery.
• Yahoo expects the vendor to acknowledge, respond, and communicate updates to Yahoo throughout the process. 
• During the first 90 days after initial communication, Yahoo will not disclose the vulnerability to any other entity, unless a disclosure is: (1) required by law or legal process, (2) in response to a lawful request from a government agency, or (3) necessary or appropriate, as determined by Yahoo in its sole discretion, to protect our users or our brands. Yahoo will give the vendor the opportunity to resolve the vulnerability in a reasonable amount of time.
• After 90 days, if the vendor has not responded or has not demonstrated a good faith effort to resolve the vulnerability, Yahoo may, in its sole discretion, choose to publicly disclose the vulnerability, along with any potential mitigations.

PGP public key

Download: Yahoo Security PGP Public Key

Fingerprint: 9419 8BFB A6C7 661F BF0C BAFE 3016 A263 BDF8 3ABD

Do not send messages encrypted with this public key to any email address other than security@yahooinc.com.

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: PGP Universal 3.4.2 (Build 206)

mQINBFxldG8BEADgtDELm+wVXnUfGyp0cdvmblnz2ljP6cLjh3sFC0fYPPamfPTsAjlWxI2JMR6V1Tzaqo4CpgqeIZ3eoE7lPLn+7A8jXTuodcoMvd1UChPrChBXMEPQ/Hhx4U+DSynRJKoMOB/CR+QzoQpuT59N6gZCnk69YBBGjYtIc/IhTuC4VkFaPHEQRvmZLOpZCZtOAZDXo22zwyde3fgfLikSv0qYnpv5PpW90a/T7TV1qGJlo5g7mJHrRvKMnbSrdISRFYdF1zph1JnXcTHZl/MA7H9gxu/brXIKnKp/PGLrLpFZefOMN/m9F/dCM0MR8OqSS4/RBonbTWfjEZf8103mhAEWWItmtKXcBmdrWyGCfaemrn/9b5yV+ZL3GfNoTnpmN43Hk6Ux9t+6D35DDfrX7rtbDRJdzvjJbGJIhrjnp+aToO95+Zlcou86c2xXwAdXK5JT4YmDL1c7cQKNKtT9JboGC6XbM+mtT+dV+yYo0P5+aUrZRvb+QyzaNK0B7HIgVZt1jaUpYjgXPBSDsEsxfcF+Z1sg9M8/c6Xj7bmC16Odu9dE5jyiedjRM6bF5fo0M6E3BEBQ1qmAq+1p6fxP9Ut51kKyjfdLcyvpxHnewpdsXZvdwQcxTkvwiDKJFv2J3Lu9Qp1UmWlajHF3lNzC8XVoTYyArcc55QCGM4pLHpbXQARAQABtDJWZXJpem9uIE1lZGlhIFNlY3VyaXR5IDxzZWN1cml0eUB2ZXJpem9ubWVkaWEuY29tPokCUQQTAQgAOwIbAwULCQgHAgYVCAkKCwIEFgIDAQIeAQIXgBYhBJQZi/umx2Yfvwy6/jAWomO9+Dq9BQJcZXU/AhkBAAoJEDAWomO9+Dq9+AIP/jgq6ypreOMbnpCV6MRCTYEqh2wlzf4Pe83VfHH1a3+vDhUcVqRWGIBAO5bUXiIyaffeGFG4/P09Q+6peWauxs0mcBCNsVBFbOW2jc7G5TQABl7CU0Yqm3bva5LlZXb7q8bxajkZ+CgBmEu9m7CvBiqAEPk+BzHA7NlTrlH7hS9iQeKD/6r38+y6gPmYuIJzxin8C9GpgE3Uh43Z9GIIDswCU/zUQN5SeBNHYeYKSsevoijEwrgdZ77i3ny8Eo5NS8fVblG+mdmc uzDfCFr/RLOodB1/8J1hEGPE6ai6ZCcc/hgVBosT3Sn2j5Pi66u6+dKYLQn34MmgWkKp/JZv1rLEDANABjjSz5SQmL1cd6Ek1Svid0Lh3OcrL6voElXmrM+tb8FqOMRr8xo8HTFFRMzZhgXqwoLdUHSGnRRcles99ov/bg9t++Ci7opAWgbYqGZMsiqwqfKoeQ1OLCApN9Dr6t1/jtdIY4gM+VFM84vWQTTFHXAfsKorDfLjemWwkgAyAAwlzGKTBuxcr7wkmuynyggu4y7hlMtoXUdESVqKtepT4oLvwbqa0wojwkVOY4ArWA4hj+R0SXQ9qG821qoqp1tkMR8cBjRSpkGErG4UUua+tr7GnOBD5wJtIDNqTljqctEwFgcwjxMjrV1z2u7PsMF28SziUKteXV0JH5cCiQEiBBABAgAMBQJcZbkLBQMAEnUAAAoJEJcQuJvKV618bWMH+QF0mdz+1SQ2SwGqS4iMN5aaxsLeSsEDXkBK4qUeO7zwoFTqtxHmHZNQcn0N0SyIIO82yOsv1OyAp4gDNuSk4Ked71tvI/54U56JsIMbCV1O13ObZrEyISagaGNWeEDJ2c3w/+h0mBH8oK7Ts/5nQeXeftMAnvoLfv6cKjKZiRrdFPh/QbMXa3BGImJMb9PXYZ2JumVOKm8mkynYETSTOoxPg+SqdGLP4QbcYNWJ9/y9vAK5KadZ4sGEl5APwR3uCHUOj3FuIJ45KUxgWmTgS7LcDrVhEOoKJb4CDyN3MmDefb022H56qNG1OGdA++BxsQyLU8AP6FUtmOkFjcxvwpC0J1lhaG9vIFNlY3VyaXR5IDxz ZWN1cml0eUB5YWhvby1pbmMuY29tPokCTgQTAQgAOBYhBJQZi/umx2Yfvwy6/jAW omO9+Dq9BQJcZXU3AhsDBQsJCAcCBhUICQoLAgQWAgMBAh4BAheAAAoJEDAWomO9 +Dq90rcP+wR+n5PnmJHd6Dnh0Zkjj7YS0HPcGYsPsdf/BJ8WPvjyEbUJjg8jQ1Dk ozo8lnpLtO9wgOuZFcVoVnMeDCIm+dRAxWQ95Ykxq5faEsya9shfPwXzhqVzwHxd O6yBL2Zx0FaAiYyAsM0vjQBdJzdT/QlQHkZX92JX8FQzfoqo1/pci+K7wX2cE9hi BvxpCf2lY5pfqysU9u/ICFLQ5gfAl1oA07GYg8VEk3jxzV9TU2PhfK2cQUw6hxCu MFGIopwyk3rqwp9ld7aDRscXa57IhkCnusx+XZa8ZSgDSY+U2XYo+hs9p2Z3Fhmr oyIrGhR4fbiikFY0DHH401NPycyWMX7tS1p2WuiB43PzCyvMOItDTp+Je1Nb9P1U ZqMr8lZ3e4zRCHalzY2GE7wME9IWte9pbaVBcyZY+rZSZSuC/xB0TNrelsQoRFhp TAAX2zAHyT/dXbyFRaCxHT76N9vpG+Oqp+r6nqVWdd6lOwp/NA44IVUw5C/3alyO 1HfrsEkh6h4EkrNRBIwqHKpg3QTYUPOxIf17v87TBYYW5Yq0MZmK4kbp7388vo7q aDI6xj68/ciXL7mGO/ARGDqeZJwRCF3KCLQ00bcyjOPborw23aurkq0F1oY56+Dp imQeuhY4eVONfBQOrxh2H75Q1k+a2OQkfH/39qxttR2DQlIZJqjQiQEiBBABAgAM BQJcZbkLBQMAEnUAAAoJEJcQuJvKV618szgIALrMw+HMFZr6EHxcVBTVap4oqMEr IOlb2yg2HFneECkP2TX6aVHxbSoov/A3qGzxcbosaNNvdAibE4mz6t6CA9awKMjR Utc4gkHSkpAZIsKOzdwdImOygg6QbccGN9ifoLHQmcHhSqX/eILR4wzWnMrDpin9 CwFMX05hJxsL4NIObG6SCCKtflz+4dsNNyl3/xY7MqFn3EV4MU9EEQtUB69d3gEf TH9RAqGkfqrAwaWZOJNEsqR8Vwj8Gv5lQkp1i9lwWJJTWtkdQlvRCpuUtjf55TKw oGKuP0l5guCeD+PZhDDa2Gpho2ZCxx+yve6UAYVBJdQ+9zxQgMhsir/saMK0IU9h dGggU2VjdXJpdHkgPHNlY3VyaXR5QG9hdGguY29tPokCTgQTAQgAOBYhBJQZi/um x2Yfvwy6/jAWomO9+Dq9BQJcZXVqAhsDBQsJCAcCBhUICQoLAgQWAgMBAh4BAheA AAoJEDAWomO9+Dq9XtoQAICP/xBMhzx1SLc3wo3smPJ7UTSw6ijc9qNWFoBvajse EvzwtnUaLVyb/5L7uwSsG12lWp8+zHfUQtANRyfB77UdHNhex4xLdtC59nd6iEPd E47mzBd5Rq2EJhZo/U1z1kN2WFs/bxmZx/xD8Vl9A98pa+cXCv8dxdWNDfCyOwCg vdD7RicBgsQsm1a1VUmWMxuiKLUlOj62a2jcuhfOXi1GDEov9vdAgnEHD15jtL8x 5usvp3JmpHkvh85ZuiJSEeV9ewa3r9FpAZbp8b+KpJ1LGpR1mCjE4BWbpAs51Z3s e6vG0hdYhX7kB5M39KDi81f7D77K8MaOK0jEOspALmt/rhg14U1jkOApnd+HHij6 Mvxqu6xv3rIr8ZcNfw7pQKrWUqoSgkcyB+tDauadwlPJPv/yirdbNSvjWQ5tp/xM GEhEHbnpRaZwv75J+D7g7h62AGq5h5WHTv7yjQkOAOtTjapwzqXJ82yTM2O5cIxm eWKKM2paqvCAJucfLY6C4EZ7yAQzqqRDF4cIamTKa1iwl0y1ZKz49JnatGtiQKKe 2k+7Cp/Y/0Xi4bxEbqBFdBt0NRzvpB+OShSW9O2+CvOzUkA+j2MQwu2zjFF7GikF K+tVypoDeEc4jw2htjzNGr6bN07QLwyf/GDcYbfMMjzsc6obGjmJp9EyIcDqI9GJ iQEiBBABAgAMBQJcZbkLBQMAEnUAAAoJEJcQuJvKV618AvIIAIruRHeNSE2y3yEL +UJf4LKxIakw9nUD/7+bpalz9bVHvR1ODaQhPxP1Vpxbi8jTiCasNBRTM/6u2pbi 1b7KiufQX12wuvZK0R4RSAUXGfhBCZick0DEDPsAcEpu2bdu51W0avXEOoVY3b6y kbwxKz3ZkBgKueXdZgCriZEwJmMXJQMBy1Zec+q7Oq5REbUmeXwVIurI7OPR2+Qn IBypWyyZwS4Ds6EyRMnqLhzItNqTaukIf6613R15WYiJPQbY1rnYT5z2Y7KxCG37 0GZGdUISd5X2TwVtOWz6qvGjJc87UuQhTGqHDkdY7goCvDVD/aDHULHuS+1nXtyh LpRf8Y60IUFPTCBTZWNWdWxuIDxzZWN2dWxuQHRlYW1hb2wuY29tPokCTgQTAQgA OBYhBJQZi/umx2Yfvwy6/jAWomO9+Dq9BQJcZXWUAhsDBQsJCAcCBhUICQoLAgQW AgMBAh4BAheAAAoJEDAWomO9+Dq9ixEP/058cDrhszIebdQYw8Yf4DwxD0fH+SYk 3LZ63BFmtLmbctph7C83j1qNRCooJcrkU3rlb6T1i9FRgtjvFFin/PEPHYnid1Gi hyoEQY8rSb/aY2PY2oF/jYhE2QFuZA3YEJEM8cVsDyaug0r4kSgG5mJuLql+SBnG ruRXnHrltTA4bfBkt6YeXG+1zJdUpufZsiz48W1DZzgFa1Xmo8od0v24wyGtPpq5 BXlUJcEP9px+1cTKGEqsvGSDTqlAN1MAXNn4mpxKQov79VQty6aI8vat/yPIVOlp n5D4ObRSkfYgJhC/tad4QznjDWohx8RItclgMuOHUG7EipCeadq9FRl6uQg34Ram bTQd3tfaZmTOaZBEwjZX/kQAp229aFAJcUp0n2roX5gH1fsMZl1lwgQW9CjDbskD 38q6DYCHoW+XpCJ97BFE9abEh58cHbHnlAdilJrnuo8SVEXKdasvIqMy6BX5p2xR sQMKbKkmo309vfl8GeRjoVvXECVcfmthHNPv4ZAq36IMW1r0OkiRcHnm3HXVgU3I Y6jHc8VVp+FtiFqqyG7UyevUBTwndiJ7H3WSuFr/C2Zbo79lhjfY6xRfdXVZ2aOW CXDU9o5ivevzmytM4o8JmzZUmut7vuxu4beO433jfl/TYkBvapUFizI1lT4p6QhM 3OIUzcTN6IwziQEiBBABAgAMBQJcZbkLBQMAEnUAAAoJEJcQuJvKV61890sH/j2i aliH5FJINa3LxEC5cBBTcj2a/H37drzIMZ4e+XBUopJfiQx6A3p9oBHUwb4vkL8/ FBlkbwJpr1NqcZuVtGi/zaRXCEz7CpuSCDvWWCDnP3qQQc315VSC9jyhw0sT2BlK hyCLv0q4y+zfnav/PRoMGQspUr1dpxYgmMdasdbQDWBzf82i8NqPCZhyJxKgk8Q/ 5/leOG+ddgTiFIHlyerNUNEr+ahNcHf6NE49hoS0e30x9HNIk5bsfMrJyAELxswW MlvB42Fmqp52kvhHXKY9ZNQza0YQ/1ri/EWarAnvuW+w6nJdnpo1AyNRh6lD3mE3 Bk8JzxOa1jpGoI1inaK0H09hdGggU2VjVnVsbiA8c2VjdnVsbkBvYXRoLmNvbT6J Ak4EEwEIADgWIQSUGYv7psdmH78Muv4wFqJjvfg6vQUCXGV1pQIbAwULCQgHAgYV CAkKCwIEFgIDAQIeAQIXgAAKCRAwFqJjvfg6vWPKD/wKXcOofDUtEIW7c435VaDs aE7xbOpcwd6RXLmsUWhSoMF0dgiZcDkcQMz2a2u8eAfxk86YIMtUc6jyYrmVyupp zfGJ1ZWSepiZw9cEAD5ewrbrrJdiinoA4a/k4emyYL2Wg98Srn4zhHw7Z6mlNaHD Lxy3vEsH4/bW/8D61MCZdrG/Hcq67wcTdgvarWo6mzWvjM06cWb0pKWl6sXkBz0H btsfXY6TbBzstJEmaqFAPOOyl8bPjU7Uq+ZmVuIlSahHf84jZj1snq//ej3ViB+o hfeiVTAzo0gyBPSOUHLZN6DlVsudwLEcL5RWgBw3pi81pwnx85JGUep082HHnjS5 XAkNXs3Ne+Gr8jyATwwvqUcHK1Cb+XlexYyyB3hWLxB4TgkGyT8ZJGSu9+DNa476 cQFGtasC1Yus3gKKAS6imkzQMvqYFYOi90JbXLwEQlTvS1uRWtNvrNFtiaYRM+y8 SHKuxzNKy925bJIjk6hIVNqxkji6LS6G4LpIDfejXexxG1mQYJ9bXvoA0Qz3EMon SbctG0g3Bvh8Eb+zHfz+NKDcTYfq+Ndt4FCzxyRZYvqytza2r/6xrf5o9E9C1S90 M6DiVBIGRZbbCKUK6v/39+/gMsjthFboDG8+a+YSPP3hX7o334IKcgcLgvUnGWHW c2ER7crsFTkb7EEFRe43DIkBIgQQAQIADAUCXGW5CwUDABJ1AAAKCRCXELibylet fJecB/9YLwlhKHJycf++qvxXm0l635pUeme37weiubIbohbADm5mojqOrLzv87hA p7By/nI5GGyfrSIr1MkWZKeVpsmmrX3yaFmya4/LgDp7tMBufl5W2wa5IOpJ11ug Umd4ZY1XEwXwdvRs5Zw7YDHQ14LmlffhV7TBdWQfDr8y+IZdy+67aap8ISVdQENi Zd53eOWOY29TixLpIEpaj2nmyiVgScp4JPYVniamHs2Yocn56sTmcV9aKWkAaw4A +btxtRjF/P8B9c/hVGPGpj5g2PVtfVxYEO+aK/xRI9EvFioTMvSIJcZOsnA0tRda hFTIp8/CNb176dFsf4gBHE1wgLs7uQINBFxldG8BEADNGB/FiBIK/xjh1MnNIhaz PpTXT7co0ToGiInLKOzV/tjKPb+Ombnr1OTsE+taeNaPbPKE6lXoGId8J9bYLUj+ 6UuhaFC/8YmNLrLAaVTEVTb5Gr/Y+nIHcxZ07DRC3X0aYR8usjYhaVd0DOTXuh3T XP8bANeBvwWNF7mKhhqAibPJqTj1Z1Swmd4rJpqLrokAMMBFNLEme7OIjnnnXTDx 6+PICUp3K0a7BH0kZmsXG86HiWDk6JdXwVsoowo15P0tyxvhEeiDsVVEj7pE7Fia x3Bc2WfGKnfnU1mapfCBKrPoUxJGOnBxFU8j89MvmFfkMhyKCJkxZlA9XHPLFX88 XntEHQvu3AXTDs/vhrPt2AG0CWUBoyoQTbDK7Lqq5gyezGpXVUaij80YTAnOlM0L OjVu6TDr8ODyg6tms8GaQ4P9dF+jUDMoARp4CgoyVly0zPJrDvvH4aSDF9pEjocO bDjCyAy5L3KFYgdVxxzxH7xRkSvd0ojZtcd0oJWk3ZexgcxoJIEmxO4MbdzEcmYa l2ojx9NCvPesTC5qUcyIcFc3goOdkq6J3+3k8gKJZ14G82fTs1mZlC/an6mIiXro Bx5zxqMSzmYSyqVHOwkDHPGWtDPx30nWP0jwIb39sRH9mLj0fV2PHXUw7RMc92GT TVyGTmatzOZOsM6lRdyfKQARAQABiQI2BBgBCAAgFiEElBmL+6bHZh+/DLr+MBai Y734Or0FAlxldG8CGwwACgkQMBaiY734Or2ZoRAAw2qh4D4VM2jYMRqEktyjIxtn QkeYQQ9wZb+DVmsCiMFcED7nYYa1wgup7mad2R7av1W7M+Rc2nj41hw/FlDKMkcJ MBuT8OGximbb4ZYv/YR8kc+J3hCfEvA+JIGyumvcUybOS1b1HwZVVvYU/VBep6he d3JaxjaUlIn85FuDEuT+ylnmUCfCQ7osQ2a1JLkM31wLTQs6ozf9Tw+beq+Z62fN OIXPGpOo9adcXXfOZ6GsJlJcmi7B4MpCTqMNuQ8a2lKzf+hLuKzMSIFPCfJh2hAB nnc0jm9S8hkioqnNN1pprrjsncVH2cj4S/CMzks+wuUny9a7zjvJfBIKKl7ISiCz nWWvD063t7si9bM2Q8svc8pmg1hUs9zRqsFcleIsa7MFYun4GVLdN9JBjpsS6bjo U+lnpEIDyNZmCUCNPbXyk62UUAZKZgpgTRb9MwqIsAvUhr2uwz3AYaPQ7n8VRQAL 145ihCsmUv+pYBPH/diqE4sWQ9Bg66ifgLHQcQBivE7ylATzLYbKH0nu9QjERx7U g9z/gT3pDDFKgxGEaowb7uHpmTixo7DebsOTtFQzhHKETDbdjfYctz0l6qFUys2a oGY5SY2uFiuVIEexTwR239qfNo47dW4BQfVqQWS54C9AVIyV1jF2lyMrs6ifv8T6 jAjmBJEzItmRA4arA+E= =G1aG

-----END PGP PUBLIC KEY BLOCK-----